Introduction
With the advent and ubiquity of the internet, businesses are increasingly relying on digitalization to survive and thrive in today’s business environment. But despite the advantages brought by technological advancements, there are problems that these businesses need to contend with. Cybersecurity violations are a significant issue for companies and can cause much damage. So, to address this problem, Socket launched its cybersecurity platform to help companies protect themselves against software supply chain attacks.
These businesses use the cybersecurity platform to protect their software applications and critical services from malware and security threats originating in open-source code.
Socket Founder Journey
Founded by Feross Aboukhadijeh, the company was founded in 2021 with the vision to protect open-source ecosystems for companies. Its focus was on open-source software, which enables teams to build powerful applications in a shorter time. Moreover, anyone in the group can inspect and contribute to the code.
Aboukhadijeh realized that, as a generally trusting community, some attackers take advantage of this trust and openness to carry out brazen supply chain attacks. There has been unprecedented growth in the scale of open-source malware. Such is the rate of increase that concerns circulated about the continued usage of open-source software.
There are reasons why tried and trusted approaches have not worked to protect open source. The entire security industry has always been preoccupied with scanning for known vulnerabilities, a too-reactive approach to stopping an active supply chain attack. It can take weeks or months to discover exposures.
In today’s culture of fast development, a malicious dependency can be updated, merged, and running in production in days or even hours. This isn’t enough time for a CVE to be created and make its way into the vulnerability scanning tools that teams use.
Supply chain attacks and vulnerabilities are very different, and they need very different solutions:
⚠️ An open-source maintainer accidentally introduces vulnerabilities. Sometimes, it is okay to ship a vulnerability to production if it has a low impact.
⛔️ An attacker intentionally introduces supply chain attacks. It is never okay to send malware to show. You must catch it before you install it or depend on it.
Teams that want to address supply chain attacks currently have two options:
1. Do a full audit
Read every line of code in all dependencies. Very few companies do this, but it is the gold standard for preventing supply chain attacks. It takes a full-time team to manage this process—the audits, the updates, the allowlist, and the application of critical security patches. This approach is out of reach for all but the most prominent companies or the most security-critical applications. It’s lots of work, it’s slow, and it’s expensive.
2. Do nothing
Cross your fingers and hope for the best. This is the option that most teams take. On most units, any developer can install any dependency to get the job done, and no one even looks at the code in these dependencies before approving the pull request. As you might expect, this approach leaves companies entirely vulnerable to supply chain attacks.
Neither approach is ideal
While developing the Wormhole app (an end-to-end encrypted file transfer tool), the company experienced the challenges of selecting, managing, and updating open-source dependencies amidst a constant onslaught of supply chain attacks. This led to the need for a dire solution to the problem.
And so, the company investigated what attackers do once they’ve compromised a package. Nearly every supply chain attack in the JavaScript ecosystem followed a familiar pattern.
Once the attacker got control of a package, they added install scripts, network connections, shell commands, filesystem access, or obfuscated code. Others used social engineering, such as typo-squatting; this provided the right direction for a solution.
Open Source Packages
The innovative solution assumes that all open-source packages may be malicious and work backward to proactively detect signs of compromised packages. The company sought the simplest way to mitigate this risk without hurting usability.
And so, they set out to help developers safely use open source without sacrificing development speed. Over the following months, Socket came into existence with its popular open-source packages.
The company can detect the tell-tale signs of a supply chain attack by statically analyzing open-source packages and their dependencies. It then alerts developers when packages change in security-relevant ways, highlighting events such as the introduction of install scripts, obfuscated code, or usage of privileged APIs such as shell, network, filesystem, and environment variables.
Package Issues
For instance, to detect if a package uses the network, Socket looks at whether fetch(), Node’s net, diagram, DNS, HTTP, or HTTPS modules are used within the package or any of its dependencies. If a new version of a package – especially a minor or patch version – adds code to communicate with the network, that’s a huge red flag. And so, the Package issues are detected.
The customer response to the company’s digital products and services has been stellar! The company has been protecting thousands of organizations and tens of thousands of repositories in two months since its launch.
The company’s customers consist of businesses that want to protect themselves from attacks. It takes just a few minutes to get protected from supply chain attacks by installing the company app.
Socket Message to customers and viewers:
“Open-source libraries are more popular than ever before. With open-source code making up 80-90% of most codebases, it is critical to manage it effectively to reduce an organization’s security risk.
Open-source components have become increasingly popular vectors for software supply chain attacks in the past year. Using third-party dependencies without proper vetting can lead to hacking, breaches, and various security issues. Socket detects supply chain attacks before disaster strikes, preventing security issues caused by open-source code in real-time.
Socket offers much more than basic vulnerability scanning. By integrating directly into the developer workflow, Socket prevents attacks you don’t expect – malware, hidden code, typo-squatting, and misleading packages.
Socket helps developers take charge of the health of their dependencies by telling them what open source they are using, what it is doing (or could do), and which components are at the highest risk. By surfacing security information directly inline in GitHub and other source control systems, developers can avoid security issues before making it into production.”
